Hello Will,
In a clean virtualenv with master's python-evtx (b0bc270), some fields appear to be truncated. I have isolated the bug to a single EVTX file that I will send to your gmail address right away.
$ virtualenv/bin/python scripts/evtx_dump.py min.evtx
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000</Keywords>
<TimeCreated SystemTime="2017-03-03 07:43:34.287577"></TimeCreated>
<EventRecordID>12176434</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="1068" ThreadID="1140"></Execution>
<Channel>Security</Channel>
<Computer>xxx</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">xxxx</Data>
<Data Name="SubjectDomainName">xxxx</Data>
<Data Name="SubjectLogonId">0x00000000000003</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">xxx</Data>
<Data Name="TargetDomainName">xxx</Data>
<Data Name="Status">0xc00000</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc00000</Data>
<Data Name="LogonType">10</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">xxxx</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000002a</Data>
<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
<Data Name="IpAddress">1.2.3.4</Data>
<Data Name="IpPort">1100</Data>
</EventData>
</Event>
</Events>
If you compare that output to the following Event Viewer screenshot, you see that SubStatus and Status are truncated in the process.
Am I missing something?
My minimal script to investigate is the following:
$ cat test_status.py
import Evtx.Evtx as evtx
import logging
from lxml import etree
import sys

logging.basicConfig(level=1, format="%(asctime)s %(name)8s %(levelname)5s: %(message)s")
ns = {'event': 'http://schemas.microsoft.com/win/2004/08/events/event'}

with evtx.Evtx('min.evtx') as log:
    for record in log.records():
        r = record.lxml()
        # Only look at failed-logon events (EventID 4625)
        eid = int(r.xpath('/event:Event/event:System/event:EventID', namespaces=ns)[0].text)
        if eid != 4625:
            continue
        print(r.xpath("/event:Event/event:EventData/event:Data[@Name='SubStatus']", namespaces=ns)[0].text)
$ virtualenv/bin/python test_status.py
2017-06-19 19:34:12,876 Evtx.Evtx DEBUG: FILE HEADER at 0x0.
2017-06-19 19:34:12,876 Evtx.Evtx DEBUG: CHUNK HEADER at 0x1000.
2017-06-19 19:34:12,876 Evtx.Evtx DEBUG: Record at 0x1200.
2017-06-19 19:34:12,888 Evtx.Evtx DEBUG: Record at 0x1e50.
0xc00000
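Looking at the dump above, the truncation is not limited to Status and SubStatus: Keywords, SubjectLogonId and ProcessId are each printed with 14 hex digits where a 64-bit value needs 16, and the two NTSTATUS fields have 6 digits where a 32-bit value needs 8. A simple width check over the dumped XML makes this kind of parser defect visible without needing the Event Viewer screenshot. The following script is an added example, not part of the issue or of python-evtx; the expected widths are my assumption from the event schema's field types, and the sample event is the 4625 record from the dump above, trimmed to the relevant fields and with the XML declaration removed so the standard library parser accepts it.

```python
import re
import xml.etree.ElementTree as ET

NS = {'event': 'http://schemas.microsoft.com/win/2004/08/events/event'}

# Expected number of hex digits after "0x" for fixed-width fields.
# Assumption: NTSTATUS (Status/SubStatus) is 32-bit; Keywords, logon IDs
# and ProcessId are 64-bit in the event schema.
EXPECTED_HEX_DIGITS = {
    'Keywords': 16,
    'SubjectLogonId': 16,
    'TargetLogonId': 16,
    'ProcessId': 16,
    'Status': 8,
    'SubStatus': 8,
}

HEX_RE = re.compile(r'^0x([0-9a-fA-F]+)$')


def _check_field(name, value, findings):
    """Record name -> (expected, actual) when a hex value is narrower than its type."""
    expected = EXPECTED_HEX_DIGITS.get(name)
    if expected is None or value is None:
        return
    m = HEX_RE.match(value.strip())
    if m is None:
        return  # not a hex literal, nothing to compare against
    actual = len(m.group(1))
    if actual < expected:
        findings[name] = (expected, actual)


def find_truncated_hex_fields(event_xml):
    """Return {field: (expected_digits, actual_digits)} for every hex field
    in one <Event> element that is shorter than its binary width."""
    root = ET.fromstring(event_xml)
    findings = {}
    keywords = root.find('event:System/event:Keywords', NS)
    if keywords is not None:
        _check_field('Keywords', keywords.text, findings)
    for data in root.findall('event:EventData/event:Data', NS):
        _check_field(data.get('Name'), data.text, findings)
    return findings


# Constructed sample: the 4625 event from the dump above, trimmed to the
# fields this check looks at (XML declaration dropped so xml.etree parses it).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID Qualifiers="">4625</EventID>
<Keywords>0x80100000000000</Keywords>
</System>
<EventData>
<Data Name="SubjectLogonId">0x00000000000003</Data>
<Data Name="Status">0xc00000</Data>
<Data Name="SubStatus">0xc00000</Data>
<Data Name="LogonType">10</Data>
<Data Name="ProcessId">0x0000000000002a</Data>
</EventData>
</Event>"""

# Constructed control with arbitrary full-width values: must produce no findings.
GOOD_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Keywords>0x8010000000000000</Keywords></System>
<EventData>
<Data Name="Status">0xc0000001</Data>
<Data Name="SubStatus">0xc0000002</Data>
</EventData>
</Event>"""

if __name__ == '__main__':
    for name, (expected, actual) in sorted(find_truncated_hex_fields(SAMPLE_EVENT).items()):
        print("%s: %d hex digits, expected %d" % (name, actual, expected))
```

Run against the dump, the check flags all five fixed-width fields as two digits short, which is the pattern a reviewer would want to confirm before looking at how the hex strings are rendered. Because the missing digits are at the end of each value, the original values cannot be recovered from this output; the check only tells you which fields to distrust.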